PT-2024-19270 · phpMyFAQ · phpMyFAQ

Pinkdraconian · Published 2024-02-05 · Updated 2024-02-13 · CVE-2024-22202

CVSS v3.1: 5.7 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: phpMyFAQ versions prior to 3.2.5

Description: The issue allows an attacker to spoof another user's details, making a compelling phishing case for removing another user's account. Although the front-end of the user removal page does not allow changing form details, an attacker can use a proxy to intercept the request and submit other data. Upon submitting the form, an email is sent to the administrator, who has no way of telling the difference between the actual user wishing to delete their account and an attacker issuing the request for an account they do not control. The API endpoint /user/request-removal is involved in this issue: an attacker can edit the request before sending it, changing fields such as username, "Your name", and "Your email address" to the details of another user.

Recommendations: For versions prior to 3.2.5, update to version 3.2.5 to resolve the issue. As a temporary workaround, consider restricting access to the /user/request-removal endpoint until the update is applied. Additionally, administrators should be cautious when receiving account deletion requests and verify the authenticity of such requests through alternative means.
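The root cause described above is that the removal endpoint trusts identity fields supplied by the client. The following is an added example, not phpMyFAQ's own code, showing the weak pattern beside a hardened handler that derives the requester's identity from the authenticated session and only takes free text from the form. The helpers currentUser() and notifyAdmin(), the session layout, the form field names and the recipient address are all assumptions made for this illustration.

```php
<?php
// Added example (not phpMyFAQ's code): request-removal handlers that differ only
// in where the requester's identity comes from. Helper names, the session
// layout, form field names and the admin address are hypothetical.

declare(strict_types=1);

session_start();

/** Hypothetical: returns the logged-in user's record, or null if not authenticated. */
function currentUser(): ?array
{
    // Assumed session layout: ['id' => int, 'username' => string,
    //                          'name' => string, 'email' => string]
    return $_SESSION['user'] ?? null;
}

/** Hypothetical: delivers the removal notice to the administrator. */
function notifyAdmin(string $subject, string $body): void
{
    mail('admin@example.invalid', $subject, $body); // placeholder recipient
}

// --- Weak pattern: identity fields are read from the submitted form ---
function handleRemovalRequestWeak(array $post): string
{
    // Anything in $post can be rewritten before it reaches the server, so the
    // administrator's email reflects whatever the sender chose to put here.
    $username = (string) ($post['username'] ?? '');
    $name     = (string) ($post['name'] ?? '');
    $email    = (string) ($post['email'] ?? '');

    notifyAdmin('Account removal request',
        sprintf("User %s (%s <%s>) asked to be removed.", $username, $name, $email));
    return 'sent';
}

// --- Hardened pattern: identity fields are taken from the session ---
function handleRemovalRequestHardened(array $post): string
{
    $user = currentUser();
    if ($user === null) {
        http_response_code(401);
        return 'not authenticated';
    }

    // Constant-time CSRF check so a third-party page cannot make the user's
    // browser submit this request on their behalf.
    $expected = (string) ($_SESSION['csrf_token'] ?? '');
    $given    = (string) ($post['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        http_response_code(403);
        return 'bad csrf token';
    }

    // Only the free-text reason comes from the form; username, name and email
    // are never read from $post, so they cannot be spoofed via a proxy.
    $reason = mb_substr((string) ($post['reason'] ?? ''), 0, 1000);

    $body = sprintf(
        "User #%d (%s, %s <%s>) requested account removal.\n"
        . "Reason: %s\n"
        . "Identity taken from the authenticated session, not from the form.",
        $user['id'], $user['username'], $user['name'], $user['email'], $reason
    );
    notifyAdmin('Account removal request', $body);
    return 'sent';
}

// Example wiring: route the POST body to the hardened handler.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo handleRemovalRequestHardened($_POST);
}
```

The hardened handler also gives the administrator a useful signal: the notice states that the identity was derived server-side, which is the "alternative means" of verification the recommendations ask for. The weak handler is included only to make the contrast concrete; it should not be deployed.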

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2024-22202
GHSA-6648-6G96-MG35

Affected Products

phpMyFAQ